From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 26 Nov 2019 14:40:07 +0800
Subject: efi: Lock down the kernel at the integrity level if booted in secure boot mode
Patch-mainline: Never, SUSE specific tweak 
References: jsc#SLE-9870

perf and bpf are restricted at the confidentiality level, but those
functions are available on SLE. So we use the integrity level here.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 arch/x86/kernel/setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1036,7 +1036,7 @@ void __init setup_arch(char **cmdline_p)
 
 #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 	if (efi_enabled(EFI_SECURE_BOOT))
-		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif
 
 	reserve_ibft_region();
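Review bot: The security_lock_kernel_down() call in setup_arch() now hard-codes LOCKDOWN_INTEGRITY_MAX with no in-code explanation, so the reason for stopping short of the confidentiality level lives only in the commit message. Since the header marks this as a SUSE-specific tweak that will never go to mainline, a short comment above the call would help whoever rebases it: state that integrity is chosen deliberately so that perf and bpf stay usable, and that confidentiality-level restrictions are therefore not applied when booting with EFI Secure Boot. The reason string "EFI Secure Boot mode" is unchanged, so anything that reports that string will not show that the level differs from the code being replaced; consider whether the level should be made visible there as well.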